Description of problem:
openvpn fails to start since it cannot read/write to /var/log/openvpn.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-342.el5
selinux-policy-targeted-2.4.6-342.el5
selinux-policy-minimum-2.4.6-342.el5
selinux-policy-devel-2.4.6-342.el5
selinux-policy-strict-2.4.6-342.el5
selinux-policy-mls-2.4.6-342.el5
openvpn-2.3.1-1.el5

How reproducible:
always.

Steps to Reproduce:
1. update to openvpn 2.3.1
2. try to start it
3. profit.

Actual results:
openvpn is unable to read/write /var/log/openvpn and won't start.

Expected results:
openvpn is able to read/write /var/log/openvpn and starts.

Additional info:
* audit.log:
type=AVC msg=audit(1369295332.800:771735): avc: denied { read write } for pid=27856 comm="openvpn" name="openvpn" dev=dm-3 ino=263685 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir

* file context:
/var/log/openvpn.* all files system_u:object_r:openvpn_var_log_t:s0

* sesearch -A -s openvpn_t | grep openvpn_var_log_t:
allow openvpn_t openvpn_var_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
--> class "dir" is missing

anyways: openvpn_t is allowed to read/write to var_log_t.
Following AVCs appeared in permissive mode:
----
time->Thu May 23 15:49:27 2013
type=PATH msg=audit(1369316967.990:995): item=0 name="/var/log/openvpn" inode=41295 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369316967.990:995): cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369316967.990:995): arch=40000003 syscall=33 success=yes exit=0 a0=90fd8f8 a1=7 a2=90fddf4 a3=90fd8f8 items=1 ppid=32672 pid=32681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369316967.990:995): avc: denied { read } for pid=32681 comm="openvpn" name="openvpn" dev=sda3 ino=41295 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Thu May 23 15:49:27 2013
type=PATH msg=audit(1369316967.983:994): item=1 name="/var/log/openvpn/log" inode=38094 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=PATH msg=audit(1369316967.983:994): item=0 name="/var/log/openvpn/" inode=41295 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369316967.983:994): cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369316967.983:994): arch=40000003 syscall=5 success=yes exit=4 a0=90fddc4 a1=241 a2=180 a3=90fddc4 items=2 ppid=32672 pid=32681 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369316967.983:994): avc: denied { add_name } for pid=32681 comm="openvpn" name="log" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
type=AVC msg=audit(1369316967.983:994): avc: denied { write } for pid=32681 comm="openvpn" name="openvpn" dev=sda3 ino=41295 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
Configuration file contained, among others, the following lines at the time:
log /var/log/openvpn/log
status /var/log/openvpn/status
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.005:83): item=0 name="/var/log/openvpn/log" inode=528110 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369388687.005:83): cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.005:83): arch=40000003 syscall=5 success=no exit=-13 a0=9a3ef5c a1=241 a2=180 a3=9a3ef5c items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.005:83): avc: denied { write } for pid=6635 comm="openvpn" name="openvpn" dev=vda3 ino=528110 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.084:84): item=0 name="/var/log/openvpn" inode=528110 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:openvpn_var_log_t:s0
type=CWD msg=audit(1369388687.084:84): cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.084:84): arch=40000003 syscall=33 success=no exit=-13 a0=9a41d20 a1=7 a2=6 a3=9a41d20 items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.084:84): avc: denied { read write } for pid=6635 comm="openvpn" name="openvpn" dev=vda3 ino=528110 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir
----
time->Fri May 24 11:44:47 2013
type=PATH msg=audit(1369388687.089:85): item=0 name="/tmp" inode=327681 dev=fd:03 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1369388687.089:85): cwd="/etc/openvpn"
type=SYSCALL msg=audit(1369388687.089:85): arch=40000003 syscall=33 success=no exit=-13 a0=80ba33f a1=7 a2=1 a3=bffb1c08 items=1 ppid=6626 pid=6635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="openvpn" exe="/usr/sbin/openvpn" subj=root:system_r:openvpn_t:s0 key=(null)
type=AVC msg=audit(1369388687.089:85): avc: denied { read write } for pid=6635 comm="openvpn" name="tmp" dev=vda3 ino=327681 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
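An added example, not part of the bug report: a small Python parser over AVC records of the kind quoted above that merges the denials into one allow rule per (source type, target type, object class), the way audit2allow does. The three sample records are copied from this report; the output shows that every denial is on class dir (the class the reporter's sesearch listing for openvpn_var_log_t lacked) and that the tmp_t denial is a separate rule from the log-directory one.

```python
import re
from collections import defaultdict

# Sample AVC records copied from this bug report (one record per line).
AVC_RECORDS = """\
type=AVC msg=audit(1369295332.800:771735): avc: denied { read write } for pid=27856 comm="openvpn" name="openvpn" dev=dm-3 ino=263685 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:openvpn_var_log_t:s0 tclass=dir
type=AVC msg=audit(1369316967.983:994): avc: denied { add_name } for pid=32681 comm="openvpn" name="log" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir
type=AVC msg=audit(1369388687.089:85): avc: denied { read write } for pid=6635 comm="openvpn" name="tmp" dev=vda3 ino=327681 scontext=root:system_r:openvpn_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Pull the denied permission set and the three context fields out of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, set_of_perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (PATH, CWD, SYSCALL lines are skipped)
        yield (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))


def allow_rules(text):
    """Merge denials into one 'allow' rule per (source, target, class), like audit2allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
```

The generated rules are a diagnostic, not policy to load as-is: the tmp_t rule in particular would open all of /tmp to the domain, whereas the module proposed later in this thread gives openvpn its own openvpn_tmp_t type.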
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Well, this does not relate to the log and probably should be opened as a new bug.
The AVC was generated by the same TC and is a part of comment#1. Based on the recorded time I would say that the AVC is related to the scenario described in comment#0.
Milos, could you re-test it with a local policy

# module name and the require block are assumed additions so the module builds
policy_module(myopenvpn, 1.0)

require {
	type openvpn_t;
}

# dedicated type for openvpn's temporary files, created in /tmp with that label
type openvpn_tmp_t;
files_tmp_file(openvpn_tmp_t)
manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
When the local policy module is loaded, the AVC does not appear any more and the daemon starts as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1312.html